[57] ABSTRACT

A method and apparatus for providing cryptographic protection of a data stream are described in accordance with the Open Systems Interconnection (OSI) model for a communication system. This cryptographic protection is accomplished on the transmitting side by assigning a packet sequence number to a packet derived from a data stream received from a network layer. Subsequently, a transmit overflow sequence number is updated as a function of the packet sequence number. Then, prior to communicating the packet and the packet sequence number on a physical layer, the packet is encrypted as a function of the packet sequence number and the transmit overflow sequence number. On the receiving side, the packet sequence number is extracted from the physical layer. In addition, a receive overflow sequence number is updated as a function of the packet sequence number. Finally, the encrypted packet is decrypted as a function of the packet sequence number and the receive overflow sequence number. In addition, a transmitting and a receiving communication unit for use in a communication system which includes cryptographic protection of a data stream is described.



18 Claims, 1 Drawing Sheet

[FIG. 1: block diagram with layer labels LAYER 3, LAYER 2 and LAYER 1. Transmit-side blocks: segment data into 21 byte packets; assign 7-bit ARQ sequence number; 24 bit overflow seq. number; session key; generate encrypt mask; TX ARQ buffer. Receive-side blocks: RX ARQ buffer; extract 7-bit ARQ seq. number; 24 bit overflow seq. number; session key; generate encrypt mask; concatenate 21 byte packets to re-create data stream.]



11/26/2003, EAST version: 1.4.1 



U.S. Patent    June 7, 1994    5,319,712





METHOD AND APPARATUS FOR PROVIDING CRYPTOGRAPHIC PROTECTION OF A DATA STREAM IN A COMMUNICATION SYSTEM

FIELD OF THE INVENTION

The present invention relates to communication systems and, more particularly, to cryptographic protection within communication systems.

BACKGROUND OF THE INVENTION

Many communications systems currently use encryption to enhance security of the systems. As will be appreciated by those skilled in the art, these communication systems can be described according to the Open Systems Interconnection (OSI) model which includes seven layers including an application, presentation, session, transport, network, link, and physical layer. The OSI model was developed by the International Organization for Standardization (ISO) and is described in "The Basics Book of OSI and Network Management" by Motorola Codex from Addison-Wesley Publishing Company, Inc., 1993 (First Printing September 1992).

Communication systems include, but are not restricted to, cellular radio telephone communication systems, personal communication systems, paging systems, as well as wireline and wireless data networks. By way of example a cellular communication system will be described below; however, it will be appreciated by those skilled in the art that the encryption techniques described can be readily extended to other communication systems without departing from the scope and spirit of the present invention.

Turning now to cellular communication systems, these systems typically include subscriber units (such as mobile or portable units) which communicate with a fixed network communication unit (i.e., a base site) via radio frequency (RF) communication links. In cellular communication systems, the RF communication link is the primary target for cryptographic systems, because it is the most vulnerable to unauthorized introduction (spoofing) or extraction (eavesdropping) of information. It is well known in the art that information in these communication links may be cryptographically protected by encrypting them with a pseudo-noise (PN) signal which is pseudo-random in nature. For example this may be accomplished by performing an exclusive-or operation of an information signal with a PN signal, prior to transmission. Subsequently, the inverse operation can be performed during the receiving process.

In addition, another encryption technique which is used in the authentication process is described in the United States Digital Cellular (USDC) standard (known as IS-54 and IS-55) and published by the Electronic Industries Association (EIA), 2001 Eye Street, N.W., Washington, D.C. 20006. The USDC encryption technique utilizes a series of specialized messages which must be passed between the subscriber unit and a base site communication unit of the communication system to generate shared secret data (SSD) encryption variables (i.e., encrypting keys known to a subscriber unit and a communication unit which form a communication link) for an authentication (i.e., the SSD_A key) and a voice privacy function (i.e., the SSD_B key).

While the USDC voice privacy encryption process, which utilizes a short, non-changing PN sequence that is repeatedly used to encrypt each successive voice packet, is sufficient for a typically non-redundant voice signal, it is not optimized for use with a highly redundant data stream typical of packetized data communication systems. Packetized data adds an additional problem to the typical encryption process. Packets of data may arrive at different times at a subscriber unit or a base site communication unit because of the unreliability of the physical communication link and because of the algorithms used to compensate for this unreliability. These "packetized" data packets merely need to be reassembled in the same order in which they were created. Therefore, a need exists for an encryption technique which can alleviate the foregoing problems associated with packetized data.

SUMMARY OF THE INVENTION

These needs and others are substantially met through the provision of a method and apparatus for providing cryptographic protection of a data stream in a communication system. The communication system is described in accordance with the Open Systems Interconnection (OSI) model which includes seven layers including an application, presentation, session, transport, network, link, and physical layer. This cryptographic protection is accomplished on the transmitting side by assigning a packet sequence number to a packet derived from a data stream received from a network layer. Subsequently, a transmit overflow sequence number is updated as a function of the packet sequence number. Then, prior to communicating the packet and the packet sequence number on a physical layer, the packet is encrypted as a function of the packet sequence number and the transmit overflow sequence number. On the receiving side, the packet sequence number is extracted from the physical layer. In addition, a receive overflow sequence number is updated as a function of the packet sequence number. Finally, the encrypted packet is decrypted as a function of the packet sequence number and the receive overflow sequence number. In addition, a transmitting and a receiving communication unit for use in a communication system which includes cryptographic protection of a data stream is described.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a preferred embodiment communication system having cryptographic protection of a data stream in accordance with the present invention.

DETAILED DESCRIPTION

Referring now to FIG. 1, a preferred embodiment communication system 100 having cryptographic protection of a data stream in accordance with the present invention is shown. The communication system will be described in the following passages according to the OSI model. In this respect, it will be appreciated by those skilled in the art that the transmitting portion 102 of the data link layer (i.e., Layer 2) may be located in either the subscriber communication unit or base site communication unit of a cellular communication system. Similarly, the receiving portion 104 of the data link layer also may be located in either the subscriber communication unit or base site communication unit. In addition, the direction of transmission between the transmitting portion 102 and the receiving portion 104 may be either uplink (i.e., subscriber unit to base site unit) or downlink (i.e., base site unit to subscriber unit).
The preferred embodiment communication system 100 cryptographic protection scheme has been optimized for use in conjunction with a "Description of Receiver State Feedback Protocol" proposed by AT&T Bell Laboratories, 1000 East Warrenville Road, Naperville, Ill. 60566-7013 which was presented to the Telecommunications Industry Association (TIA) subcommittee TR45.3.2.5 for Digital Cellular Systems in [illegible] Woodmark Hotel in Kirkland, Wash. However, it will be appreciated by those skilled in the art that any automatic repeat request (ARQ) scheme may be utilized in the preferred embodiment described herein by using the data packet sequence number (SN) plus an extension for the data packet frame counter without departing from the scope or spirit of the present invention. In addition, a synchronous cipher scheme, as is used in the preferred embodiment, can be utilized in conjunction with any packetized data system that applies a sequence number to each packet.

In FIG. 1, a data stream 108 which comes from Network Layer 3 110 and goes to Network Layer 3 160 (renamed data stream 158) is transferred from the Data Link Layer 2 transmitter portion 102 to the Data Link Layer 2 receiver portion 104 reliably using the above-noted Receiver State Feedback protocol on Physical Layer 1 112, 162. The data stream preferably consists of a digitized information signal containing system control information, short messages, graphic image information, compressed voice, textual data, and/or any other form of data which can be digitized for transfer over a radio communication link. A pseudo-random bit generator 106, 156, respectively, is used to generate an encrypt mask and a decrypt mask for enciphering and deciphering the data stream 108, 158, respectively. In order to accomplish this, each pseudo-random bit generator 106, 156 is re-initialized during each data frame by using a session key and a frame number. The session key preferably is a shared secret data (SSD) key which was derived from a previously completed authentication process by the communication units which are currently performing the data stream transfer. In addition, the frame number preferably is a 32 bit number which is maintained as a side effect of the ARQ scheme. [illegible] in Table 1 below.

TABLE 1

[table contents not recoverable]

The upper bit indicates the direction of data stream transfer and is used to prevent repeated use of the same encryption mask, once in each direction, the lower bits are identical to the ARQ sequence number SN and the middle bits are an overflow counter, incremented every time the sequence number SN rolls over.

As can be seen in FIG. 1, the encipherment 120 is performed (e.g., an exclusive-or operation of the packetized data stream 126 with the encryption mask 128) on the Layer 3 data stream 108 after it has been segmented 114 into 21 byte packets and a 7-bit long ARQ sequence number SN has been assigned 116, but before the data segment enters the ARQ repeat mechanism 118. When SN 116 rolls over (e.g., indicated by an overflow signal 122), the 24 bit long overflow counter 124 is incremented. Each Layer 2 packetized data stream segment so encrypted is then put into the ARQ transmission buffer 118 and is transmitted to the Layer 2 receiver portion 102 by the ARQ mechanism on Layer 1 112, 162. The Layer 2 header information (including the sequence number) is not encrypted. Because the encryption 120 is done above the ARQ repeat mechanism, each data segment 126 is encrypted only once no matter how many times the ARQ mechanism 112, 118, 162, 168 requires it to be retransmitted across the data link.

On the Data Link Layer 2 receiver portion 104, the [illegible] the receiver buffer 168 is used to [illegible] incremented if SN has rolled over (e.g., indicated by an overflow signal 172). SN and the overflow counter are used along with session key (i.e., SSD) to generate 156 the identical pseudo-random stream 178 (i.e., decrypt mask) that was used to encrypt the Layer 2 packetized data stream segment. Subsequently, the packetized data stream segment 178 is sent to the decryption unit 170 where each of the segments 176 are decrypted in the correct sequence. After each segment is decrypted, the Layer 3 data stream 158 is then reconstructed 164 from the 21 byte length packets. It should be noted that by placing the decryption above the receiver portion 104 ARQ buffer 168, each data frame is decrypted only once regardless of the number of times it is transmitted across the physical layer 112, 162 communication link.

It will be appreciated by those skilled in the art that the preferred embodiment cryptographic protection scheme (i.e., a synchronous cipher scheme) which is described above is more robust than non-synchronized encryption scheme which could be implemented in the Network Layer 3. For example, in the case of the ARQ scheme failing to detect a corrupted data segment, it is probable that an incorrect number of data bytes would be sent to Layer 3. If the encryption were performed at Layer 3, subsequent data packets would be decrypted incorrectly when a single packet is lost. However in a Layer 2 encryption, the synchronous cipher restarts the decryption unit 170 for each data segment and only the data segment containing the error is lost. All subsequent data frames are decrypted correctly.

In an alternative embodiment, if no ARQ mechanism is used, the data stream 108 can be handled by using a similar segment structure at Layer 2 with a sequence number SN. However, because there is no automatic repeat, each packetized data stream segment is encrypted and then transmitted just once. In addition, the Layer 2 receiving portion 104 expects to receive the segments (packets) in sequence. Because the sequence number is large, up to 63 consecutive data segments (packets) can be lost without creating an ambiguity in the state of the overflow counter 174 in the receiving portion 104. It should be noted that an exchange of acknowledge messages at call startup and following handoffs may be required in order to unambiguously initialize the overflow counters 124, 174.

Another concern is how to handle encryption through a communication channel handoff in a cellular system. The best way to handle this depends upon the precise operation of the radio link protocol (RLP) during handoff. However, typically the sequence number SN is reset when establishing a new data link. If that is the way RLP operates, then the overflow counter should be initialized to a value which is one greater than its value before the handoff. An acknowledged exchange of messages during the handoff also may be necessary in order to communicate the state of the overflow counters 124, 174.
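
The frame-number layout, per-packet mask and overflow tracking described above, as an added example that is not code from the patent. The HMAC-SHA256 mask generator, the direction-bit values, all class and function names, and the receiver's gap rule for the no-ARQ case are assumptions; the patent does not specify the pseudo-random bit generator.

```python
import hashlib
import hmac

# Field widths and segment size are the patent's; everything else is assumed.
SN_BITS, OVF_BITS, PACKET_LEN = 7, 24, 21
SN_MOD = 1 << SN_BITS            # SN rolls over every 128 packets
MAX_LOST = 63                    # consecutive losses tolerated without ARQ
UPLINK, DOWNLINK = 0, 1          # assumption: meaning of the direction bit


def frame_number(direction, overflow, sn):
    """32-bit frame number: direction bit | 24-bit overflow | 7-bit SN."""
    if not 0 <= sn < SN_MOD:
        raise ValueError("SN out of range")
    if not 0 <= overflow < (1 << OVF_BITS):
        # Wrapping here would repeat frame numbers, and so repeat masks.
        raise ValueError("overflow counter exhausted")
    return (direction << (OVF_BITS + SN_BITS)) | (overflow << SN_BITS) | sn


def mask(session_key, frame_no):
    """Per-packet mask. HMAC-SHA256 is a stand-in generator (assumption)."""
    digest = hmac.new(session_key, frame_no.to_bytes(4, "big"), hashlib.sha256)
    return digest.digest()[:PACKET_LEN]


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


class Transmitter:
    def __init__(self, session_key, direction):
        self.key, self.direction = session_key, direction
        self.sn = self.overflow = 0

    def send(self, stream):
        """Segment, number and encrypt; SN travels in the clear."""
        out = []
        for i in range(0, len(stream), PACKET_LEN):
            fn = frame_number(self.direction, self.overflow, self.sn)
            out.append((self.sn, xor(stream[i:i + PACKET_LEN], mask(self.key, fn))))
            self.sn = (self.sn + 1) % SN_MOD
            if self.sn == 0:     # SN rolled over: bump the overflow counter
                self.overflow += 1
        return out


class Receiver:
    """In-order receiver for the no-ARQ case (gap rule is an assumption)."""

    def __init__(self, session_key, direction):
        self.key, self.direction = session_key, direction
        self.expected = 0        # overflow * 128 + SN of the next packet

    def receive(self, sn, ciphertext):
        gap = (sn - self.expected) % SN_MOD     # packets lost before this one
        if gap > MAX_LOST:
            raise ValueError("SN jump too large: overflow counter ambiguous")
        position = self.expected + gap
        fn = frame_number(self.direction, position >> SN_BITS, sn)
        self.expected = position + 1
        return xor(ciphertext, mask(self.key, fn))


def deliver(stream, lost, key=b"constructed-session-key"):
    """Send stream uplink, drop the packet indexes in `lost`, return Layer 3 data."""
    tx, rx = Transmitter(key, UPLINK), Receiver(key, UPLINK)
    packets = tx.send(stream)
    return b"".join(rx.receive(sn, ct)
                    for i, (sn, ct) in enumerate(packets) if i not in lost)
```

Dropping 63 consecutive packets still decrypts everything after the gap; a jump of 64 or more is rejected because the overflow counter can no longer be inferred from SN alone.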

The preferred embodiment of the present invention may be summarized in reference to FIG. 1 in the following manner. In a communication system 100 having a physical layer (Layer 1), data link layer (Layer 2), and a network layer (Layer 3), a method and apparatus for providing cryptographic protection of a data stream are shown. The cryptographic protection is provided by segmenting 114 a data stream 108 received from the network layer 110 into a plurality of packets. A packet sequence number is assigned 116 to each packet of the plurality of packets. In addition, each transmit overflow sequence number is updated 124 as a function of each packet sequence number. Further, each transmit overflow sequence number is modified 124 to indicate the direction of transmission. This direction of transmission may be an uplink transmission or a downlink transmission. Each particular packet of the plurality of packets is encrypted 120 as a function of a predetermined session key, the packet sequence number associated with the particular packet, and the modified transmit overflow sequence number associated with the particular packet. The encrypted plurality of packets are buffered 118 for subsequent transmission. The encrypted plurality of packets and the packet sequence number associated with each packet are transmitted on the physical layer 112 and 162.

In the receiving portion 104, the encrypted plurality of packets and the packet sequence number associated with each packet are received from the physical layer into a receiving buffer 168. Each packet sequence number is extracted 166 from the receiving buffer. In addition, the plurality of packets are organized within the receiving buffer 168 to ensure that the plurality of packets are extracted from the receiving buffer in order by sequence number. Further, a receive overflow sequence number is updated 174 as a function of each packet sequence number. The receive overflow sequence numbers are modified to indicate the direction of reception, where the direction of reception is either an uplink reception or a downlink reception. Subsequently, each encrypted packet of the plurality of packets in the receiving buffer is decrypted 170 as a function of the predetermined session key, the packet sequence number associated with the particular packet, and the modified receive overflow sequence number associated with the particular packet. Finally, the decrypted plurality of packets is concatenated 164 to form a received data stream 158 which is sent to the network layer 160.

Although the invention has been described and illustrated with a certain degree of particularity, it is understood that the present disclosure of embodiments has been made by way of example only and that numerous changes in the arrangement and combination of parts, as well as steps, may be resorted to by those skilled in the art without departing from the spirit and scope of the invention as claimed. For example, the communication channel could alternatively be an electronic data bus, computer network line, wireline, optical fiber link, satellite link, or any other type of communication channel.

What is claimed is:

1. In a communication system having a physical layer, data link layer, and a network layer, a method for providing cryptographic protection of a data stream, comprising:

(a) assigning a packet sequence number to a packet derived from a data stream received from the network layer;

(b) updating a transmit overflow sequence number as a function of the packet sequence number;

(c) encrypting, prior to communicating the packet and the packet sequence number on the physical layer, the packet as a function of the packet sequence number and the transmit overflow sequence number;

(d) extracting the packet sequence number from the physical layer;

(e) updating a receive overflow sequence number as a function of the packet sequence number; and

(f) decrypting the encrypted packet as a function of the packet sequence number and the receive overflow sequence number.

2. The method of claim 1 wherein:

(a) the step of updating the transmit overflow sequence number includes modifying each transmit overflow sequence number to indicate the direction of transmission, the direction of transmission being selected from the group consisting of a uplink transmission and a downlink transmission; and

(b) the step of updating the receive overflow sequence number includes modifying each receive overflow sequence number to indicate the direction of reception.

3. The method of claim 1:

(a) further comprising the step of buffering the encrypted packet;

(b) further comprising the step of transmitting the encrypted packet and the packet sequence number associated with the packet on the physical layer;

(c) further comprising the step of receiving the encrypted packet and the packet sequence number associated with the packet from the physical layer into a receiving buffer; and

(d) wherein the step of extracting comprises extracting the packet sequence number from the receiving buffer.

4. The method of claim 1 further comprising the steps of:

(a) concatenating the decrypted packet with other decrypted packets to form a received data stream; and

(b) sending the received data stream to the network layer.

5. In a communication system having a physical layer, data link layer, and a network layer, a method for providing cryptographic protection of a data stream, comprising:

(a) segmenting a data stream received from the network layer into a plurality of packets;

(b) assigning a packet sequence number to each packet of the plurality of packets;

(c) updating each transmit overflow sequence number as a function of each packet sequence number;

(d) modifying each transmit overflow sequence number to indicate the direction of transmission, the direction of transmission being selected from the group consisting of an uplink transmission and a downlink transmission;

(e) encrypting each particular packet of the plurality of packets as a function of a predetermined session key, the packet sequence number associated with the particular packet, and the modified transmit overflow sequence number associated with the particular packet;

(f) buffering the encrypted plurality of packets;

(g) transmitting the encrypted plurality of packets and the packet sequence number associated with each packet on the physical layer;

(h) receiving the encrypted plurality of packets and the packet sequence number associated with each packet from the physical layer into a receiving buffer;

(i) extracting each packet sequence number from the receiving buffer;

(j) organizing the plurality of packets within the receiving buffer to ensure that the plurality of packets are extracted from the receiving buffer in order by sequence number;

(k) updating a receive overflow sequence number as a function of each packet sequence number;

(l) modifying each receive overflow sequence number to indicate the direction of reception, the direction of reception being selected from the group consisting of an uplink reception and a downlink reception;

(m) decrypting each encrypted packet of the plurality of packets in the receiving buffer as a function of the predetermined session key, the packet sequence number associated with the particular packet, and the modified receive overflow sequence number associated with the particular packet;

(n) concatenating the decrypted plurality of packets to form a received data stream; and

(o) sending the received data stream to the network layer.

6. A transmitting communication unit for providing cryptographic protection of a data stream in a communication system having a physical layer, data link layer, and a network layer, transmitting communication unit comprising a data link layer device having:

(a) assigning means for assigning a packet sequence number to a packet derived from a data stream received from the network layer;

(b) updating means, operatively coupled to the assigning means, for updating a transmit overflow sequence number as a function of the packet sequence number; and

(c) encrypting means, operatively coupled to the assigning means and the updating means, for encrypting, prior to communicating the packet and the packet sequence number on the physical layer, the packet as a function of the packet sequence number and the transmit overflow sequence number.

7. The transmitting communication unit of claim 6 wherein the data link layer device updating means comprises means for modifying each transmit overflow sequence number to indicate the direction of transmission, the direction of transmission being selected from the group consisting of a uplink transmission and a downlink transmission.

8. The transmitting communication unit of claim 6 wherein the data link layer device further comprises a buffer means, operatively coupled to the encrypting means, for buffering the encrypted packet and the transmitting communication unit further comprises a physical layer device, operatively coupled to the data link layer device, having transmitting means for transmitting the encrypted packet and the packet sequence number associated with the packet on the physical layer.

9. The transmitting communication unit of claim 6 wherein the physical layer includes a communication channel selected from the group consisting of an electronic data bus, computer network line, wireline, optical fiber link, satellite link, and a radio communication link.

10. The transmitting communication unit of claim 6 wherein the communication unit is selected from the group consisting of the subscriber communication unit and the base site communication unit of the communication system.

11. A receiving communication unit for providing cryptographic protection of a data stream in a communication system having a physical layer, data link layer, and a network layer, receiving communication unit comprising a data link layer device having:

(a) extracting means for extracting a packet sequence number from the physical layer;

(b) updating means, operatively coupled to the extracting means, for updating a receive overflow sequence number as a function of the packet sequence number; and

(c) decrypting means, operatively coupled to the extracting means and the updating means, for decrypting an encrypted packet as a function of the packet sequence number and the receive overflow sequence number.

12. The receiving communication unit of claim 11 wherein the data link layer device updating means comprises means for modifying each receive overflow sequence number to indicate the direction of reception, the direction of reception being selected from the group consisting of a uplink reception and a downlink reception.

13. The receiving communication unit of claim 11 further comprising a physical layer device, operatively coupled to the data link layer device, having a receiving means for receiving the encrypted packet and the packet sequence number associated with the packet into a receiving buffer and wherein the data link layer extracting means comprises means for extracting the packet sequence number from the receiving buffer.

14. The receiving communication unit of claim 11 wherein the physical layer includes a communication channel selected from the group consisting of an electronic data bus, computer network line, wireline, optical fiber link, satellite link, and a radio communication link.

15. The receiving communication unit of claim 11 wherein the communication unit is selected from the group consisting of the subscriber communication unit and the base site communication unit of the communication system.

16. The receiving communication unit of claim 11 wherein the data link layer device further comprises:

(a) concatenating means, operatively coupled to the decrypting means, for concatenating the decrypted packet with other decrypted packets to form a received data stream; and

(b) sending means, operatively coupled to the concatenating means, for sending the received data stream to the network layer.

17. In a communication system having a physical layer, data link layer, and a network layer, a method for providing cryptographic protection of a data stream, comprising:

(a) assigning a packet sequence number to a packet derived from a data stream received from the network layer;

(b) updating a transmit overflow sequence number as a function of the packet sequence number; and

(c) encrypting, prior to communicating the packet and the packet sequence number on the physical layer, the packet as a function of the packet sequence number and the transmit overflow sequence number.
18. In a communication system having a physical layer, data link layer, and a network layer, a method for providing cryptographic protection of a data stream, comprising:

(a) extracting a packet sequence number from the physical layer;

(b) updating a receive overflow sequence number as a function of the packet sequence number; and

(c) decrypting an encrypted packet as a function of the packet sequence number and the receive overflow sequence number.

* * * * *